Message ID | 20210222175850.1131780-1-saulo.alessandre@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Herbert Xu |
Headers | show |
Series | [v2,1/3] add params and ids to support nist_p384 | expand |
On 2/22/21 12:58 PM, Saulo Alessandre wrote: > From: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > * crypto/asymmetric_keys/x509_cert_parser.c > - prepare x509 parser to load nist_secp384r1 > > * crypto/ecc_curve_defs.h > - add nist_p384 params > > * include/crypto/ecdh.h > - add ECC_CURVE_NIST_P384 > > * include/linux/oid_registry.h > - reorder OID_id_ecdsa_with_sha1 > - add OID_id_secp384r1 > > Signed-off-by: Saulo Alessandre <saulo.alessandre@tse.jus.br> I would separate this patch into an x509: and certs: part since it touches two subsystems. I can take this series of patches and post my v9 including them at the end. This would make it easier for others to test. I would massage them a bit, including the separation of the 1st patch into 2 patches, if you don't mind, preserving your Signed-off-by. I need to fix something in my v8 regarding registration failure handling. Let me know whether this is fine with you. I had tested your patches over the weekend with my endless test tool creating keys in user space and loading them into the kernel. It worked fine for NIST p256 & p384. Also signing kernel modules with NIST p384 is working fine. So, for the series: Tested-by: Stefan Berger <stefanb@linux.ibm.com> Regards, Stefan
Em seg., 22 de fev. de 2021 às 17:26, Stefan Berger <stefanb@linux.ibm.com> escreveu: > > On 2/22/21 12:58 PM, Saulo Alessandre wrote: > > From: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > > > * crypto/asymmetric_keys/x509_cert_parser.c > > - prepare x509 parser to load nist_secp384r1 > > > > * crypto/ecc_curve_defs.h > > - add nist_p384 params > > > > * include/crypto/ecdh.h > > - add ECC_CURVE_NIST_P384 > > > > * include/linux/oid_registry.h > > - reorder OID_id_ecdsa_with_sha1 > > - add OID_id_secp384r1 > > > > Signed-off-by: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > I would separate this patch into an x509: and certs: part since it > touches two subsystems. > > I can take this series of patches and post my v9 including them at the > end. This would make it easier for others to test. I would massage them > a bit, including the separation of the 1st patch into 2 patches, if you > don't mind, preserving your Signed-off-by. I need to fix something in my > v8 regarding registration failure handling. Let me know whether this is > fine with you. For me it's ok. > > I had tested your patches over the weekend with my endless test tool > creating keys in user space and loading them into the kernel. It worked > fine for NIST p256 & p384. Also signing kernel modules with NIST p384 is > working fine. > > So, for the series: > > Tested-by: Stefan Berger <stefanb@linux.ibm.com> > > Regards, > > Stefan > > Regards
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index d6d72420307c..03535bd8b8ef 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -512,6 +512,9 @@ int x509_extract_key_data(void *context, size_t hdrlen, case OID_id_prime256v1: ctx->cert->pub->pkey_algo = "ecdsa-nist-p256"; break; + case OID_id_secp384r1: + ctx->cert->pub->pkey_algo = "ecdsa-nist-p384"; + break; default: return -ENOPKG; } diff --git a/crypto/ecc_curve_defs.h b/crypto/ecc_curve_defs.h index 69be6c7d228f..b327732f6ef5 100644 --- a/crypto/ecc_curve_defs.h +++ b/crypto/ecc_curve_defs.h @@ -54,4 +54,36 @@ static struct ecc_curve nist_p256 = { .b = nist_p256_b }; +/* NIST P-384 */ +static u64 nist_p384_g_x[] = { 0x3A545E3872760AB7ull, 0x5502F25DBF55296Cull, + 0x59F741E082542A38ull, 0x6E1D3B628BA79B98ull, + 0x8Eb1C71EF320AD74ull, 0xAA87CA22BE8B0537ull }; +static u64 nist_p384_g_y[] = { 0x7A431D7C90EA0E5Full, 0x0A60B1CE1D7E819Dull, + 0xE9DA3113B5F0B8C0ull, 0xF8F41DBD289A147Cull, + 0x5D9E98BF9292DC29ull, 0x3617DE4A96262C6Full }; +static u64 nist_p384_p[] = { 0x00000000FFFFFFFFull, 0xFFFFFFFF00000000ull, + 0xFFFFFFFFFFFFFFFEull, 0xFFFFFFFFFFFFFFFFull, + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFFull }; +static u64 nist_p384_n[] = { 0xECEC196ACCC52973ull, 0x581A0DB248B0A77Aull, + 0xC7634D81F4372DDFull, 0xFFFFFFFFFFFFFFFFull, + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFFull }; +static u64 nist_p384_a[] = { 0x00000000FFFFFFFCull, 0xFFFFFFFF00000000ull, + 0xFFFFFFFFFFFFFFFEull, 0xFFFFFFFFFFFFFFFFull, + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFFull }; +static u64 nist_p384_b[] = { 0x2a85c8edd3ec2aefull, 0xc656398d8a2ed19dull, + 0x0314088f5013875aull, 0x181d9c6efe814112ull, + 0x988e056be3f82d19ull, 0xb3312fa7e23ee7e4ull }; +static struct ecc_curve nist_p384 = { + .name = "nist_384", + .g = { + .x = nist_p384_g_x, + .y = nist_p384_g_y, + .ndigits = 6, + }, + .p = nist_p384_p, + .n = nist_p384_n, + .a = nist_p384_a, + .b = nist_p384_b +}; + #endif diff --git a/include/crypto/ecdh.h b/include/crypto/ecdh.h index a5b805b5526d..e4ba1de961e4 100644 --- a/include/crypto/ecdh.h +++ b/include/crypto/ecdh.h @@ -25,6 +25,7 @@ /* Curves IDs */ #define ECC_CURVE_NIST_P192 0x0001 #define ECC_CURVE_NIST_P256 0x0002 +#define ECC_CURVE_NIST_P384 0x0003 /** * struct ecdh - define an ECDH private key diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index ff3cad9f8c1f..d656450dfc66 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -19,10 +19,10 @@ enum OID { OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */ OID_id_dsa, /* 1.2.840.10040.4.1 */ - OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */ OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */ OID_id_prime192v1, /* 1.2.840.10045.3.1.1 */ OID_id_prime256v1, /* 1.2.840.10045.3.1.7 */ + OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */ OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */ OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */ OID_id_ecdsa_with_sha384, /* 1.2.840.10045.4.3.3 */ @@ -64,6 +64,7 @@ enum OID { OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */ OID_sha1, /* 1.3.14.3.2.26 */ + OID_id_secp384r1, /* 1.3.132.0.34 */ OID_sha256, /* 2.16.840.1.101.3.4.2.1 */ OID_sha384, /* 2.16.840.1.101.3.4.2.2 */ OID_sha512, /* 2.16.840.1.101.3.4.2.3 */